Edit: Okay, I saw your other post, ignore this answer. It won’t work.
Just to give you another way of doing it, I propose using “a third party provider” for your DNS, which you said you didn’t want, but since I think it could still work, I’ll tell you how it would work:
DuckDNS is a free provider for DNS and lets you create standard certificates via Let’s Encrypt without exposing the rpi.
You can register for free and just input your local IP for the Raspberry, e.g. at charger8283.duckdns.org
Since the IP is local, no one outside your network can access it, but because the URL is registered globally, you can get a certificate using Nginx Proxy Manager.
This would result in HTTPS traffic that never leaves your local network and is also free.